by rthrowayay 2473 days ago
Customers running JS on your server in a Java VM doesn't sound very secure. I could be wrong, but when I see Java I get the suspicion that user code and privileged server code are running in the same process. Of course they could have a properly sandboxed Java process and are just using Java because that is what they are familiar with.

That perspective is somewhat dated, to be blunt. A modern Java deployment would be identical security-wise to Node, with one app per Java process running with the minimum of privileges.
I think you are being very polite here. Fearing the JRE/JVM in this particular way falls somewhere between superstitious and ignorant.
I have no worries, because I make sure to sacrifice chickens to my Tomcat apps each day. Although going into the cloud is making it trickier, chickens generally can't fly that high.
It is unsafe to mix trusted and untrusted code in the same process. This is why Chrome runs the renderer in a separate process. My concern is that using Java to execute JS increases the probability they are doing this bad mixing. They could be doing it safely but it increases my suspicion.